From ef0d7177b680394e6a2991843b00ca1222f93a48 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Fri, 25 Feb 2022 08:41:36 +0000
Subject: [PATCH 1/3] Remove EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() shims
LibreSSL 3.5.0 fails to compile with these shims. We could have just removed the LibreSSL check from the pre-processor condition, but it seems that these shims are no longer needed because all the supported versions of OpenSSL and LibreSSL have those functions. According to EVP_ENCRYPTINIT(3) manual page in LibreSSL, EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() first appeared in OpenSSL 0.9.8b, and have been available since OpenBSD 4.5.
---
 lib/isc/aes.c | 18 ------------------
 1 file changed, 18 deletions(-)
diff --git a/lib/isc/aes.c b/lib/isc/aes.c
index 16f723183b..d136bd4857 100644
--- a/lib/isc/aes.c
+++ b/lib/isc/aes.c
@@ -22,19 +22,9 @@
 #include
 #include
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-#define EVP_CIPHER_CTX_new() &(_context), EVP_CIPHER_CTX_init(&_context)
-#define EVP_CIPHER_CTX_free(c) RUNTIME_CHECK(EVP_CIPHER_CTX_cleanup(c) == 1)
-#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L || \
- * defined(LIBRESSL_VERSION_NUMBER) */
-
 void
 isc_aes128_crypt(const unsigned char *key, const unsigned char *in,
 unsigned char *out) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- EVP_CIPHER_CTX _context;
-#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L || \
- * defined(LIBRESSL_VERSION_NUMBER) */
 EVP_CIPHER_CTX *c;
 int len;
@@ -51,10 +41,6 @@ isc_aes128_crypt(const unsigned char *key, const unsigned char *in,
 void
 isc_aes192_crypt(const unsigned char *key, const unsigned char *in,
 unsigned char *out) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- EVP_CIPHER_CTX _context;
-#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L || \
- * defined(LIBRESSL_VERSION_NUMBER) */
 EVP_CIPHER_CTX *c;
 int len;
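Review bot: With the `EVP_CIPHER_CTX_new()`/`EVP_CIPHER_CTX_free()` shims gone from the top of lib/isc/aes.c, nothing in this series enforces the assumption that every supported OpenSSL/LibreSSL provides the real functions; the configure.ac hunk in patch 2 still runs `AC_CHECK_FUNCS([EVP_CIPHER_CTX_new EVP_CIPHER_CTX_free])`, which no longer appears to gate anything unless HAVE_EVP_CIPHER_CTX_NEW is consumed somewhere outside this series. Making that probe fatal, `AC_CHECK_FUNCS([EVP_CIPHER_CTX_new EVP_CIPHER_CTX_free], [], [AC_MSG_ERROR([EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() are required])])`, turns a link error on an unsupported library into a clear configure-time failure. The stack `_context` the shim returned could never be NULL, whereas the heap path now always taken can be under allocation failure; the check on `c` after the `EVP_CIPHER_CTX_new()` call lives in the part of isc_aes128_crypt outside this hunk and should be confirmed to be present. The same two points apply to the isc_aes192_crypt and isc_aes256_crypt hunks.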
@@ -71,10 +57,6 @@ isc_aes192_crypt(const unsigned char *key, const unsigned char *in,
 void
 isc_aes256_crypt(const unsigned char *key, const unsigned char *in,
 unsigned char *out) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- EVP_CIPHER_CTX _context;
-#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L || \
- * defined(LIBRESSL_VERSION_NUMBER) */
 EVP_CIPHER_CTX *c;
 int len;
From 117dac11d1acb1378f6607287784197f1d1fd420 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Fri, 25 Feb 2022 09:00:52 +0000
Subject: [PATCH 2/3] Use autoconf check for BN_GENCB_new()
BIND unconditionally uses shims for BN_GENCB_new(), BN_GENCB_free(), and BN_GENCB_get_arg() for all LibreSSL versions and, correctly, for OpenSSL <1.1.0 versions. This breaks LibreSSL compilation starting with LibreSSL 3.5.0. Use autoconf check instead to check whether the family of the functions are available.
---
 configure.ac | 1 +
 lib/dns/dst_openssl.h | 7 +++----
 lib/dns/openssldh_link.c | 5 ++---
 lib/dns/opensslrsa_link.c | 5 ++---
 4 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/configure.ac b/configure.ac
index 0b17d34570..c6467b5e31 100644
--- a/configure.ac
+++ b/configure.ac
@@ -635,6 +635,7 @@ AC_COMPILE_IFELSE(
 #
 AC_CHECK_FUNCS([BIO_read_ex BIO_write_ex])
+AC_CHECK_FUNCS([BN_GENCB_new])
 AC_CHECK_FUNCS([CRYPTO_zalloc])
 AC_CHECK_FUNCS([ERR_get_error_all])
 AC_CHECK_FUNCS([EVP_CIPHER_CTX_new EVP_CIPHER_CTX_free])
diff --git a/lib/dns/dst_openssl.h b/lib/dns/dst_openssl.h
index 911c285cb7..819af0fee1 100644
--- a/lib/dns/dst_openssl.h
+++ b/lib/dns/dst_openssl.h
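Review bot: The new `AC_CHECK_FUNCS([BN_GENCB_new])` probes a single function, but the `#if !HAVE_BN_GENCB_NEW` block it feeds in lib/dns/dst_openssl.h stands in for three symbols: BN_GENCB_new(), BN_GENCB_free() and BN_GENCB_get_arg(). That is fine as long as the three always ship together, but the dependency is invisible here; a comment above the line, `# BN_GENCB_new stands in for the whole BN_GENCB_new/free/get_arg family shimmed in lib/dns/dst_openssl.h`, or probing all three with `AC_CHECK_FUNCS([BN_GENCB_new BN_GENCB_free BN_GENCB_get_arg])` and combining the results in the header, records the assumption. This check is only meaningful if LIBS already carries the crypto library at this point, which the neighbouring BIO_read_ex and CRYPTO_zalloc probes suggest but the hunk does not show.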
@@ -24,20 +24,19 @@
 #include
 #include
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if !HAVE_BN_GENCB_NEW
 /*
 * These are new in OpenSSL 1.1.0. BN_GENCB _cb needs to be declared in
 * the function like this before the BN_GENCB_new call:
 *
- * #if OPENSSL_VERSION_NUMBER < 0x10100000L
+ * #if !HAVE_BN_GENCB_NEW
 * _cb;
 * #endif
 */
 #define BN_GENCB_free(x) ((void)0)
 #define BN_GENCB_new() (&_cb)
 #define BN_GENCB_get_arg(x) ((x)->arg)
-#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L || \
- * defined(LIBRESSL_VERSION_NUMBER) */
+#endif /* !HAVE_BN_GENCB_NEW */
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
 /*
diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
index 2c9986089a..d5dbc2e889 100644
--- a/lib/dns/openssldh_link.c
+++ b/lib/dns/openssldh_link.c
@@ -360,10 +360,9 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
 DH *dh = NULL;
 BN_GENCB *cb = NULL;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if !HAVE_BN_GENCB_NEW
 BN_GENCB _cb;
-#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L || \
- * defined(LIBRESSL_VERSION_NUMBER) */
+#endif /* !HAVE_BN_GENCB_NEW */
 #else
 OSSL_PARAM_BLD *bld = NULL;
 OSSL_PARAM *params = NULL;
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index ccac492944..2e39bf69e2 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -383,10 +383,9 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
 RSA *rsa = RSA_new();
 EVP_PKEY *pkey = EVP_PKEY_new();
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if !HAVE_BN_GENCB_NEW
 BN_GENCB _cb;
-#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L || \
- * defined(LIBRESSL_VERSION_NUMBER) */
+#endif /* !HAVE_BN_GENCB_NEW */
 BN_GENCB *cb = BN_GENCB_new();
 #else
 EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
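Review bot: The replacement guard `#if !HAVE_BN_GENCB_NEW` in lib/dns/dst_openssl.h evaluates to true whenever the macro is simply not defined, so any translation unit that includes this header without config.h first gets the shims enabled on a library that has the real functions; the previous `OPENSSL_VERSION_NUMBER` test was self-contained because the value comes from the OpenSSL headers themselves. AC_CHECK_FUNCS leaves the macro undefined when the function is absent, so "absent" and "config.h not included" are indistinguishable here. On OpenSSL 1.1.0 and later that mistake should surface as a compile error on the `BN_GENCB _cb;` declaration (the struct is opaque there), which is loud but confusing, so the precondition is worth stating next to the guard: `/* HAVE_BN_GENCB_NEW comes from config.h (AC_CHECK_FUNCS); config.h must be included before this header, otherwise the shims below are enabled unconditionally. */`. The `#if !HAVE_BN_GENCB_NEW` hunks in lib/dns/openssldh_link.c and lib/dns/opensslrsa_link.c inherit the same dependency; openssldh_generate and opensslrsa_generate both continue outside their hunks.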
From 347ce4f5908387d07ecb78a34ea8baaac155e140 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Fri, 25 Feb 2022 09:22:10 +0000
Subject: [PATCH 3/3] Add CHANGES entry for [GL #3172]
---
 CHANGES | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/CHANGES b/CHANGES
index 6f2bdf0d87..5c828a6213 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+5816. [bug] Make BIND compile with LibreSSL 3.5.0, as it was using
+ not very accurate pre-processor checks for using shims.
+ [GL #3172]
+
 5815. [bug] If an oversized key name of a specific length was used in the text form of an HTTP or SVBC record, an INSIST could be triggered when parsing it. [GL #3175]